[NTLUG:Discuss] .--verified?? -oops..sorry. nvr mind!

Chris Cox cjcox at acm.org
Tue Sep 18 12:55:27 CDT 2001


Actually... not sure if it's Code Blue... see:
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209



Richard Geoffrion wrote:

> ----- Original Message -----
> From: "Richard Geoffrion" <richard at rain.lewisville.tx.us>
> To: <discuss at ntlug.org>
> Sent: Tuesday, September 18, 2001 12:34 PM
> Subject: Re: [NTLUG:Discuss] Next IIS Virus engaged.--verified!
> 
> 
> 
>>Win32/BlueCode.Worm
>>
>>Win32/BlueCode.Worm is an internet worm spread through unpatched Microsoft
>>Internet Information Server version 4.0 or 5.0. It exploits a vulnerability
>>of the server described in Microsoft Security Bulletin MS00-078:
>>
>>(http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp)
>>
>>Patch is available for download from:
>>
>>IIS 4.0
>>http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
>>
>>IIS 5.0
>>http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
>>
>>Note that this is a different vulnerability than the one exploited by the
>>Code Red worm, and that the solution requires applying a different patch
>>than for Code Red.
>>
>>This vulnerability allows hackers to run executables available on the IIS
>>server. The worm starts the attack by sending a malformatted GET request to
>>the web server, causing the remote machine to download a malicious DLL named
>>HTTPEXT.DLL from the exploited server. HTTPEXT.DLL is an ISAPI extension
>>which will be loaded by the IIS server if requested. The worm then activates
>>the DLL by sending another GET request to the attacked server. The worm's
>>DLL component in turn drops the worm's executable component named
>>SVCHOST.EXE. The executable component is registered to run on Windows
>>restart by adding the following key:
>>
>>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain
>>Manager="c:\svchost.exe".
>>
>>The executable component stops the ".ida, .idq, .printer" services of IIS by
>>dropping and launching a VBScript named D.VBS in the root of the C drive.
>>Between 10 and 11 am, the worm searches random IPs for IIS servers to spread
>>to by sending out malformatted GET requests.
>>
>>The worm also launches a DoS attack against a network security company in
>>China.
>>
>>Computer Associates has not received any reports of this worm so far and
>>issued this bulletin due to client inquiries. Detection for the files
>>created by this worm will be available in eTrust Antivirus / InoculateIT 6
>>signature release 23.45.70 (Inoculate 4.x signature 27.70, Vet signature
>>1475) and higher.
>>
>>_______________________________________________
>>http://www.ntlug.org/mailman/listinfo/discuss
>>
>>
> 
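An added example, not part of the NTLUG thread or the CA bulletin quoted above: a small scanner for IIS W3C-extended log lines that flags the two request-side indicators the bulletin gives, the MS00-078 folder-traversal request the worm uses to reach executables on the server, and any request naming HTTPEXT.DLL, the ISAPI extension it drops. The log lines are constructed samples; the traversal request is the textbook MS00-078 shape (overlong UTF-8 encoding of "/" inside a "..") rather than a request the bulletin quotes, and the field layout assumes the default IIS 5.0 W3C fields.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS 5.0 W3C-extended log sample (not captured traffic). The
# traversal line uses the published MS00-078 request shape, not the worm's
# own request, which the bulletin does not reproduce; the httpext.dll line
# mirrors the ISAPI extension the bulletin names.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:12:03 192.0.2.10 GET /default.htm - 200
2001-09-18 10:12:09 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:12:10 198.51.100.7 GET /scripts/httpext.dll - 200
2001-09-18 10:13:41 192.0.2.11 GET /images/logo.gif - 304
"""

# A two-byte UTF-8 sequence with lead byte 0xC0 or 0xC1 is never valid: it is
# an overlong encoding of an ASCII character (%c0%af -> '/', %c1%9c -> '\').
# MS00-078-era IIS decoded these after its path check, which is the bug.
_OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def normalize_path(raw: str) -> str:
    """Percent-decode a request path and fold overlong UTF-8 back to the ASCII
    byte it encodes, so '/scripts/..%c0%af../x' becomes '/scripts/../../x'.
    Backslashes are folded to '/' so both separators are treated alike."""
    data = unquote_to_bytes(raw)

    def _fold(m):
        b0, b1 = m.group(0)                      # two ints from the bytes match
        return bytes([((b0 & 0x1F) << 6) | (b1 & 0x3F)])

    data = _OVERLONG.sub(_fold, data)
    return data.decode("latin-1").replace("\\", "/")


def indicators(path: str) -> list:
    """Return the indicator names that apply to one request path."""
    found = []
    if _OVERLONG.search(unquote_to_bytes(path)):
        found.append("overlong-utf8")            # the MS00-078 encoding trick
    norm = normalize_path(path).lower()
    if "/../" in norm or norm.endswith("/.."):
        found.append("parent-traversal")         # escapes the web root
    if "httpext.dll" in norm:
        found.append("httpext.dll")              # the worm's ISAPI extension
    return found


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def scan_iis_log(text: str) -> list:
    """Return (client ip, uri stem, indicators) for every suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        found = indicators(rec.get("cs-uri-stem", ""))
        if found:
            hits.append((rec.get("c-ip", "?"), rec["cs-uri-stem"], found))
    return hits


if __name__ == "__main__":
    for ip, stem, found in scan_iis_log(SAMPLE_LOG):
        print(f"{ip} {stem} [{', '.join(found)}]")
```

Because the check runs on the normalized path, it also catches logs in which IIS has already recorded the decoded form (/scripts/../../winnt/...); such a line is reported as parent-traversal without the overlong-utf8 marker. The host-side indicators the bulletin lists (c:\svchost.exe, D.VBS in the root of C:, and the "Domain Manager" Run value) are not covered here and still need to be checked on the server itself.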